ozgur/python-firebase

python-firebase requires your Firebase Secret to be embedded in code?

Closed this issue · 2 comments

If I understand this library correctly, you're using the Secret to dynamically generate a token for use with the REST API.

The firebase-token-generator code, which you've copied into this library, says this:

"IMPORTANT: Because token generation requires your Firebase Secret, you should only generate tokens on trusted servers. Never embed your Firebase Secret directly into your application and never share your Firebase Secret with a connected client."

https://github.com/firebase/firebase-token-generator-python

Doesn't using your library with authentication require that you do indeed 'embed your Firebase Secret directly into your application'?

If you could confirm that my understanding is right, I can give you a Pull Request which allows the use of a token without using the secret.

Got this back from the firebase guys, so I guess this is apparently OK as long as your server is trusted.

"It's fine (and expected) to use your Firebase Secret in your trusted server code. You just shouldn't put it anywhere that gets sent to the user (in your html / javascript, in a mobile app, etc.).

It's not as applicable to the python client, since most of the code you write in python is probably trusted server code, so it's fine to include the secret. But for our other token generators (java, javascript, etc.) we've had issues with people accidentally leaking their secret by improperly using it in code that gets sent to their users."

But I still don't like the idea :) So I've made a couple of mods to your code which allow me to use a more fine-grained role-specific token-based approach. I'll send in a Pull Request with the changes.